Jerald's TechnoBlog : Active Directory

VB.Net: Returning AD UserName from Multi-Domain Forrest

Jerald Carter — Mon, 01 Oct 2007 14:06:00 GMT

Growth sometimes brings out the unexpected flaws in designs. What seems like a quick solution, may intern lead to what I have affectionately call 'Learning Opportunities'.After a recent expansion from a single domain environment to a multi-domain forest, the following VB.Net function ceased functioning for retrieving the user's full name.

Public Shared Function GetADUserName() As String
    Dim returnString As String = String.Empty
        If HttpContext.Current.User.Identity.IsAuthenticated Then
            Try
               Dim DomainUser As String = WindowsIdentity.GetCurrent.Name.Replace("\", "/")
               Dim ADEntry As New DirectoryEntry("WinNT://" & DomainUser)
               Dim FullName As String = ADEntry.Properties("FullName").Value

               returnString = FullName.Substring(FullName.LastIndexOf(",") + 1)
               returnString &= " " & FullName.Substring(0, FullName.LastIndexOf(","))
            Catch ex As Exception

            Finally

            End Try
      End If
      Return returnString
End Function

Doing some research resulted in the realization that the WinNT provider would only work correctly in a 'flat domain'. Some modifications to an existing application allowed for the following replacement utilizing the LDAP provider in the DirectoryServices library. The key is to enable Referral Chasing.

Public Shared Function GetADUserName() As String
   Dim returnString As String = String.Empty
      If HttpContext.Current.User.Identity.IsAuthenticated Then
         Try
             ' Set the root search path
             Dim ldapPath As String = "LDAP://DC=MyDomain,DC=COM"
             Dim entry As New DirectoryEntry(ldapPath)
            ' AppSettings holds username and password
            ' This allows the query to run outside the context of the impersonated user
            ' This user currently is delegated rights in AD
            entry.Username = ConfigurationManager.AppSettings("AdUser").ToString
            entry.Password = ConfigurationManager.AppSettings("ADPassword").ToString
            entry.AuthenticationType = AuthenticationTypes.Secure

            ' Retrieve the current user's ntid
            Dim DomainUser As String = WindowsIdentity.GetCurrent.Name.Substring
                         (WindowsIdentity.GetCurrent.Name.LastIndexOf("\"))

            ' Set your filter
            Dim filter As String =
                   String.Format("(&(objectClass=user)(sAMAccountName={0}))", DomainUser)
            Dim searcher As New DirectorySearcher(entry, filter, New String() {"displayName"})

           ' Allow searches to span multiple domain referrals
           searcher.ReferralChasing = ReferralChasingOption.All
           Dim result As SearchResult = searcher.FindOne()

          If Not IsNothing(result) Then
             'Verify the property was returned
             If (result.Properties.Contains("displayName")) Then
                returnString = result.Properties("displayName")(0)
             End If
          End If
       Catch ex As Exception
           'Some error handling here
       Finally

       End Try
   End If

   Return returnString
End Function

More LDAP Queries: Accounts never logged in

Jerald Carter — Wed, 17 Aug 2005 10:30:00 GMT

In continuing to audit a network, the number of accounts in Active Directory did not match employee records, nor previous asset records.

While using the interval variable for lastLogonTimeStamp will find accounts that have not logged on in a specific time period, it will not find accounts which have never logged on. The following queries will find them:

(&(objectCategory=Computer)(!lastLogonTimeStamp=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))
(&(objectCategory=User)(!lastLogonTimeStamp=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))

LDAP to find users with Remote Access Privileges

Jerald Carter — Tue, 26 Jul 2005 10:35:00 GMT

We have all been in the position where we have started a new job with an existing organization where security was somewhat lax. Inevitably during the process of locking the network down you have to deal with the VPN / Dial-up access problem.

The first step is to determine who already has access. This is fairly easy to accomplish using LDAP filters.

(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))

This filter will show you all of the user accounts that have Allow Access checked for Remote Access on the Dialin Tab of the ADUC MMC.

Exchange 2003 Query Based Distribution Lists

Jerald Carter — Thu, 23 Jun 2005 08:57:00 GMT

This week I was faced with finding a way to clean up a few of the query based distribution lists that were created by a previous consultant group. The major problem with the queries is that they didn't take into account the dynamics of organizational turn over. The query based DL's were configured to send to every object that had an email address in that exchange store for each OU. This meant that NDR's (Non Deliverable Reciepts) were being sent for every disabled account in those OU's.

Without addressing the business rules of user account retention, I adjusted the LDAP filters to check the disabled flag on the userAccountControl. Now the queries will only send email to active accounts.

Global All Users Distribution List
(&(&(&(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(homeMDB=*)(msExchHomeServerName=*))))))))

Active Directory Custom Filters

Jerald Carter — Sat, 11 Jun 2005 07:48:00 GMT

Over the last month I have been working more intensely with Windows 2003 Active Directory. In this process I have found the need to create custom filters to make finding objects and updating security policies easier. So thought it would be helpful to others to share my set of custom filters.

To use these filters you need to open the ADUC snap in and right click on Saved Queries. Select 'New' then 'Query'. Click the 'Define Query' button. A new window will open. In the Find drop down menu, choose 'Custom Search', and click the 'Advanced' tab. Paste the query into the textbox and select 'OK'. Now you can give your query a name and click 'OK' again. You should immediately see the results of your query in the right hand window portion of the snap in.

User Management

Locked out Accounts
(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295)(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)))
All Contacts
(&(objectClass=contact))
All Users
(&(objectCategory=User)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!objectClass=Contact))
Disabled User Accounts
(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))
Account Passwords Never Expire
(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))
User Accounts Inactive for 60 Days
(&(&(objectCategory=User)(lastLogonTimeStamp<=XXX)(!userAccountControl:1.2.840.113556.1.4.803:=2)))

This filter requires a bit of massaging to get it to work correctly. I modified a vbscript to produce the correct number of 100 nanosecond intervals between January 1, 1601 and 60 days prior to the current date. I found the script; however, I can not remember to whom the credit should be long. The Get_60_Day_Interval.vbs script will respond with a message box with the correct long integer you need. You will then need to replace XXXX in the filter with that number (e.g. 127578167790000000). The following is the text of the BLOCKED SCRIPT

Dim dtmDate, dbl100NanoSecs
Const MAXIMUM_PASSWORD_AGE_IN_DAYS = 60

dtmDate = DateAdd("d", -MAXIMUM_PASSWORD_AGE_IN_DAYS, Now())
dbl100NanoSecs = 10000000 * (DateDiff("s", "1/1/1601", dtmDate))
dbl100NanoSecs = _
FormatNumber(dbl100NanoSecs, 0, False, False ,0)

WScript.Echo ("Value for query = " & dbl100NanoSecs)

Get_60_Day_Interval.vbs

Computer Management

Disabled Computer Accounts
(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))
All Computer Accounts
(&(objectCategory=computer)(name=*))
Windows XP Computers
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows XP*))
Windows Server 2003
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=*Server 2003))
Windows 2000 Server
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Server 2000*))
Windows NT
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows NT*))
Windows 2000
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows 2000*))
Windows Server 2003 no Service Packs
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=*Server 2003)(!operatingSystemServicePack=*))
Windows XP no Service Packs
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows XP*)(!operatingSystemServicePack=*))
Windows 2000 no Service Packs
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows 2000*)(!operatingSystemServicePack=*))
Computer Accounts Inactive for 60 Days
(&(objectCategory=Computer)(lastLogonTimeStamp<=XXXX)(!userAccountControl:1.2.840.113556.1.4.803:=2))

Again this filter uses the Get_60_Day_Interval.vbs script. You will then need to replace XXXX in the filter with that number (e.g. 127578167790000000)

Group Management

All Distribution Groups
(&(objectCategory=group)(sAMAccountType=268435457))
Mail Enabled Groups
(&(objectCategory=group)(mail=*)(!sAMAccountType=268435457))
All Empty Groups
(&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(objectCategory=group)(!member=*)))